Abstract


During flight tests and during post-processing of flight data, a need exists to validate that all sensors are working properly and that data is valid after experimentation. Analytic redundancy methods enable data validation using multiple, dissimilar instruments processed through the vehicle dynamic system model. A design methodology is presented through which the designer chooses the instrumentation for flight test using output separability of the failure modes as the design metric for measuring system integrity. An example is presented using an aircraft navigation system.

1  Introduction 

A need exists for robust analysis of flight test data. The designer wishes to implement a real time instrumentation package capable of measuring the desired parameters effectively. Since the system and aircraft are often experimental, operating in never before tested stages of flight, validation of instrument and aircraft performance during the test is paramount to the success of the flight test.

Redundancy is typically used as a means of providing a check against failures. A redundant instrument may be used to detect a failure, but not to isolate it to a particular system. A bank of three or more instruments may be used in a voting scheme to detect and isolate a failure. However, simple redundancy methods are costly due to the size, power, weight and value of redundant systems. While this method is typically used in production aircraft for safety of life, an alternate methodology is now presented which enables the designer to use dissimilar instrumentation to provide integrity of operation. In this way, the designer may make use of other instrumentation on board the aircraft to provide integrity checks while decreasing the overall cost of the instrumentation system.

Previously, an integrity monitoring system was proposed which possesses five important qualities[1]. Two of them are repeated for the current discussion. These are:


• Analytic Redundancy. The fault tolerant scheme provides for explicit comparison of multiple, dissimilar instruments in order to detect faults in any component through the dynamic modeling[2][3].

• Un-modelled Failure Modes. Only the fault direction in the dynamic system is assumed, not the fault magnitude, which is arbitrary. Therefore, the particular failure mode of each instrument is irrelevant. A step jump, ramp, or increased noise are all detectable and rejected in the filter structure.


This  paper  discusses  the  analysis  of  output  separability.  The  goal  is  to  familiarize  the  reader  with  the  concept 
of  analytic  redundancy  and  relate  that  to  failure  modeling.  Then  a  method  for  determining  if  a  particular 
set  of  instruments  has  the  required  analytical  redundancy  is  presented. 

Several  examples  using  GPS/IMU/Baro  Altitude  are  presented.  Typical  strap  down  systems  include  a  three 
axis  accelerometer,  a  three  axis  gyro  and  a  baro  altimeter.  The  altimeter  is  used  to  enable  smoothing  of  the 
gravity  estimate  within  the  strap  down  equations  of  motion.  The  concepts  presented  are  used  to  show  under 
what  conditions  the  altimeter  failure  is  output  separable  from  the  accelerometer  triads. 


2  System  Failure  Modeling 


Fault  modeling  within  system  analysis  is  developed  based  on  linear,  state  space  methods.  In  essence,  the 
fault  is  modelled  as  an  input  to  the  dynamic  system.  Measurement  failures  are  discussed  in  the  next  section. 

A typical linear, continuous time, stochastic system is described as in Eqs. 1 and 2:

\dot{x} = A x + B w + f \mu    (1)
y = C x + v    (2)

where x is the state, w is process noise or uncertainty in the plant model, and \mu is the target fault to be detected. The measurements y are also corrupted by measurement noise v. All of the system matrices A, C, B, and f may be considered time varying and are continuously differentiable.

In this analysis, only the direction matrix f is assumed known. The fault signal \mu is unknown and arbitrary. In this way, the methodology is generic in the sense that no assumptions on the particular failure are made, only that the failure affects the dynamics in a particular direction. For example, it is possible to state that the body frame x-axis accelerometer only enters into the dynamics through the x-axis, while the particular failure mode, such as a hard-over, a bias jump, or simply a change in the scale factor, would not need to be predicted a priori.

From this basic modeling problem, a set of filters may be constructed to estimate the state x. Defining the error e = x - \hat{x}, where \hat{x} is the estimated state, a generic observer[4] uses the following residual process:

r = y - C\hat{x} = Ce    (3)

where noise terms are neglected for convenience. The term \hat{x} represents the a priori state estimate of the filter. The error dynamics are described in terms of the state dynamics and the filter gain L as:

\dot{e} = Ae + LCe    (4)

If a fault direction f is present, the effect on the estimator becomes:

\dot{e} = Ae + LCe + f\mu    (5)

The failure now acts as an input to the estimator, driving the state error. Note that the effect is independent of the choice of gain L and is therefore applicable to a variety of linear filtering methods. A methodology for constructing filters to block the effect of the failures is discussed in a number of references and is beyond the scope of this paper. The reader should refer to [4][6] for further discussion on filtering options.

2.1  Faults  in  the  Measurements 

The  discussion  presented  applies  to  measurement  faults  as  well  as  plant  faults.  A  methodology  exists  for 
transforming  the  measurement  fault  into  a  plant  fault  equivalent  to  the  model  presented  in  Eq.  1.  The 
measurement  fault  problem  is  converted  to  an  equivalent  fault  detection  problem  with  a  fault  in  the  dynamics 
as  previously  described  using  the  following  method.  The  development  follows  Chung  and  Speyer [4]. 

The measurement model is now modified to include a fault \mu_m with known direction E as in Eq. 6.

y(k) = C(k)x(k) + E\mu_m + v(k)    (6)


To understand how this measurement fault will affect the state estimation problem, a transformation is performed to find an equivalent plant fault direction F in the state dynamics so that filtering techniques developed for input failures may be applied to the measurement failure mode.

The residual process for a generic observer is now modified by the measurement fault as:

r = Ce + E\mu_m    (7)

A transformation is made through the definition of a matrix f_m which satisfies

E = C(k) f_m    (8)

The solution is not necessarily unique and the designer is free to pick the matrix f_m to minimize computational complexity so long as the matrix f_m has the same column rank as the rank of E.

Using this definition of f_m, a new error state \bar{e} is defined as:

\bar{e} = e + f_m \mu_m    (9)


and the residual process becomes:

r = C\bar{e}    (10)


Then assuming the generic observer structure in Eq. 4, the effect on the estimator error is given by:

\dot{\bar{e}} = \dot{e} + \dot{f}_m \mu_m + f_m \dot{\mu}_m
= Ae + LC\bar{e} + \dot{f}_m \mu_m + f_m \dot{\mu}_m
= (A + LC)\bar{e} + f_m \dot{\mu}_m - (A f_m - \dot{f}_m)\mu_m    (11)

This estimator structure is equivalent to estimating a dynamic system of the form:

\dot{\bar{x}} = A\bar{x} + Bw + F_m \begin{bmatrix} \dot{\mu}_m \\ -\mu_m \end{bmatrix}    (12)

where F_m is defined as:

F_m = [\, f_m \mid A f_m - \dot{f}_m \,]    (13)

In short, the matrix F_m has twice the rank of f_m, or the measurement fault takes up two fault directions in the dynamic state. Note that if the designer chooses a time invariant fault direction, then \dot{f}_m = 0, simplifying the calculation of F_m. A measurement fault is equivalent to two faults in the dynamics as described in Chung[4].

Several caveats are necessary to understand this transformation. First, the filter structure defined by Eq. 11 estimates the quantity \bar{e} and not the true estimate of the error. However, for a case where no fault exists (\mu_m = 0) the filter estimates the true error e. Second, the meaning of \dot{\mu}_m is unknown since the original fault signal is assumed unknown. Just as no restrictions on the original fault are made, no restrictions on the derivative are necessary.


2.2 Continuous to Discrete Time Conversion

The continuous to discrete time conversion for a linear system is given in Maybeck[7] and written here as:

x(t + \Delta t) = e^{A\Delta t} x(t) + \int_t^{t+\Delta t} e^{A\tau} B w(\tau)\, d\tau + \int_t^{t+\Delta t} e^{A\tau} f \mu \, d\tau    (14)

where \Delta t is the time step between integrations. Note that the fault signal is assumed constant over the time interval. Defining \Phi = e^{A\Delta t}, \Gamma = \int_t^{t+\Delta t} e^{A\tau} B\, d\tau, and F = \int_t^{t+\Delta t} e^{A\tau} f\, d\tau, the discrete time system may be re-written as:

x(k+1) = \Phi x(k) + \Gamma w(k) + F\mu(k)    (15)

If f and B are time invariant, and if we further approximate \Phi = I + A\Delta t, then the fault and noise matrices may be approximated as:

\Gamma = (I\Delta t + \tfrac{1}{2} A \Delta t^2) B    (16)

F = (I\Delta t + \tfrac{1}{2} A \Delta t^2) f    (17)
3 Output Separability


Two issues now face the designer. First, can the particular failure mode f be observed with the current set of measurements y? Second, if multiple failures are a concern, is it possible to distinguish between the different failures? The first problem is one of identification of a failure. The second problem concerns isolation of the failure from other possible failure modes.

To assess these problems, the output separability test is used to define the degree to which and under which conditions the failure is identifiable and the capacity for the current filter structure to isolate the failure from other possible failures in the system. The test is similar to the observability/controllability test in linear algebra[7]. The test for output separability is a rank test of a matrix formed from the measurement matrix C, the fault direction F and occasionally the dynamics \Phi. Discrete time notation is used in this case. Note that the theory presented assumes a time invariant fault direction F; otherwise the rank test becomes more complex. Refer to Chung[4] for the time varying case.

If the matrix is full rank, then each of the faults within F is output separable. Note that the maximum number of faults that are distinguishable in a dynamic system is at most the size of the state space.

3.1  Fault  Identification 

For a given fault direction F, the discrete time rank test is defined as the rank of the matrix:

\operatorname{rank}[C \Phi^{\delta} F]    (18)

where \delta is the smallest integer \delta \geq 0 for which the matrix is full rank. If the matrix is not full rank for any choice of \delta then the fault direction is not identifiable with the given instruments. More instruments or a different set of dynamics are necessary to observe the given fault.

For the continuous time case, the rank test is simply

\operatorname{rank}[C A^{\delta} f]    (19)

where A is the continuous time dynamics matrix and f is the continuous time fault direction matrix.

3.2  Fault  Isolation 

Suppose that the following dynamic system defines the process under discussion:

x(k+1) = \Phi x(k) + \Gamma w(k) + F_1 \mu_1(k) + F_2 \mu_2(k)    (20)

where F_1 and F_2 represent two independent fault directions representing different possible failures of the system. In order to determine if the two failures are identifiable, it is sufficient to perform the following rank tests separately:

\operatorname{rank}[C\Phi^{\delta} F_1], \quad \operatorname{rank}[C\Phi^{\delta} F_2]    (21)
If both matrices are full rank then each fault is identifiable. In other words, both faults can be seen through the current set of measurements. However, in order to be able to tell if it is possible to isolate one failure mode from the other, both faults must be combined into a single fault matrix F_c = [F_1 ; F_2] and the rank test performed as:

\operatorname{rank}[C\Phi^{\delta} F_c]    (22)

If this matrix is full rank, then both sets of failures are distinguishable using the current set of measurements. For time varying matrices, the test condition changes slightly[4].

For time varying systems, the faults may be output separable during some portions of a trajectory and not output separable during other portions. Using the rank test presented, the designer may distinguish and design dynamic test cases required to guarantee the absence of a failure before a particular test begins. For instance, in the next section an example is presented in which the failure modes are not output separable except under dynamic conditions. The designer may design a maneuver for which the output separability matrix is full rank before beginning an experiment which will include long periods where failures are not observable.


4  GPS/INS  Example 


An  example  is  now  presented  where  a  GPS  receiver  is  used  to  detect  failures  in  a  strap-down  INS  with  baro 
altitude  aiding.  In  this  example,  the  GPS  position  and  velocity  estimates  are  used  to  detect  failures  in  the 
accelerometers  or  the  baro-aided  altitude. 

First  the  error  dynamics  are  presented.  Then  the  GPS  measurements  are  presented.  The  design  options  for 
output  separability  are  then  presented.  Finally,  a  numerical  example  is  presented  to  determine  the  required 
dynamics  for  distinguishing  between  failures. 

4.1  Strap  Down  INS  Equations  of  Motion 

The strap down INS equations of motion are described primarily in Britting[8] and utilized with GPS and INS blending functions in Williamson[11]. The goal is to use the input measurements of acceleration and angular rate in the body axis frame combined with an altimeter to estimate the position, velocity, and attitude of the vehicle.

The measurements are defined by the following set of error equations:

\tilde{f}^{\hat{B}} = f^B + w_a + \mu_a
\tilde{\omega}^{\hat{B}}_{IB} = C^{\hat{B}}_B \omega^B_{IB} + w_g    (23)
\tilde{h} = h + w_h + \mu_h    (24)

The term \tilde{f}^{\hat{B}} represents the specific force measured by the accelerometers in the estimated body frame \hat{B}. The process noise w_a is assumed zero mean Gaussian. Note that the fault \mu_a is actually composed of three separate faults, one for each body-axis direction. A goal of this work is to show how each accelerometer fault is isolatable from the others. The gyro measurements measure the angular velocity of the estimated body frame \hat{B} relative to the inertial frame I. The rotation matrix C^{\hat{B}}_B represents the error in the estimated body frame relative to the true body frame. The noise w_g is assumed zero mean Gaussian. No fault is assumed here for simplicity.

Finally, the altitude measurement \tilde{h} is defined in terms of the true altitude plus noise w_h and a fault direction \mu_h.
The continuous time kinematic dynamics for the vehicle are defined in Williamson[11] as:

\dot{P}^E = V^E
\dot{V}^E = -(\omega^E_{IE} \times \omega^E_{IE} \times P^E) + C^E_B f^B - 2\omega^E_{IE} \times V^E + g^E
\dot{Q}^E_B = \tfrac{1}{2}\, Q^E_B \otimes \omega^B_{EB}    (25)

where P^E and V^E are the position and velocity in the ECEF coordinate frame, Q^E_B is the quaternion defining the rotation from the body to the ECEF coordinate frame, f^B is the specific force in the body frame and g^E is the gravity vector in the ECEF coordinate frame. The \omega^E_{IE} term represents the angular velocity of the Earth. The \times operator represents the vector cross product and the matrix. Note that in the current case, the pressure altimeter is only used in the calculation of the gravity vector g^E [8].

The  strap  down  equations  of  motion  are  defined  in  terms  of  the  ECEF  coordinate  frame  for  ease  of  use  with 
GPS  measurement  blending[ll]. 

4.2  Baro  Altimeter  Aiding 

Pressure  altimeters  are  typically  used  to  aid  navigation  grade  inertial  units.  The  independent  measurement 
of  altitude  provides  a  means  of  stabilizing  the  strap  down  equations  of  motion  for  the  inherent  instability  in 
the  gravity  calculation.  Without  altitude  aiding,  the  inertial  errors  grow  rapidly. 

The calculation of the gravity vector for the present case in the ECEF coordinate frame is defined as:

g^E = -\frac{g}{\|P^E\|^3} \begin{bmatrix} K_e & 0 & 0 \\ 0 & K_e & 0 \\ 0 & 0 & K_p \end{bmatrix} P^E    (26)

where g is the gravitational constant, and the constants K_e and K_p are the equatorial and polar gravitational constants given by the J_2 gravity term [8]:

K_e = 1 + \tfrac{3}{2} J_2 \left(\frac{r_e}{\|P^E\|}\right)^2 (1 - 5\sin^2 L)    (27)

K_p = 1 + \tfrac{3}{2} J_2 \left(\frac{r_e}{\|P^E\|}\right)^2 (3 - 5\sin^2 L)    (28)

The gravitational constants are calculated using the radius of the Earth at the equator (r_e) and the geocentric latitude L.


The norm of the vector defining the location of the instrument relative to the center of the Earth, \|\hat{P}^E\|, is calculated using a nonlinear estimation technique by combining the estimated ECEF position \hat{P}^E from the strap down equations of motion and the independent altitude measurement \tilde{h}_0. Note that \tilde{h}_0 is only a scalar representing the norm of the ECEF vector using the current altitude measurement and given the estimated latitude and longitude of the vehicle from the strap down equations of motion. From these two quantities, a nonlinear vector estimation process is performed[8] as:

\|\hat{P}^E\|_n = \left(\frac{\tilde{h}_0}{\|\hat{P}^E\|_{n-1}}\right)^{k} \left(\|\hat{P}^E\|\right)_{n-1}    (29)

The value of k is a design parameter and is typically an integer greater than zero. Using these estimates in Eq. 26 results in an estimate of gravity which combines the pressure altimeter and the strap down estimates. Note that the altimeter is only used to help smooth the gravity estimate and is not used as an external measurement.
4.3 Strap Down Error Model

Britting[8] defines the error in Eq. 25 using perturbation methods. The goal is to transform the error into a linearized form:

\dot{\delta x} = A\,\delta x + Bw + F_a \mu_a + F_h \mu_h    (30)

where \delta x is the linearized error in the state estimate, w is the process noise, \mu_a are the faults in the accelerometers with associated direction matrix F_a, and \mu_h is the fault in the altimeter with associated error matrix F_h. The perturbed dynamics are presented here without proof in the ECEF coordinate frame[8][11][10]. The error vector \delta x for the strap-down system is defined as:


\delta x = \begin{bmatrix} \delta P^E \\ \delta V^E \\ \delta q \end{bmatrix}    (31)


The dynamics matrix A is defined as:

A = \begin{bmatrix} 0_{3\times3} & I_{3\times3} & 0_{3\times3} \\ G - (\Omega^E_{IE})^2 & -2\Omega^E_{IE} & -2 C^E_B [f^B\times] \\ 0_{3\times3} & 0_{3\times3} & -\Omega^B_{EB} \end{bmatrix}    (32)

The term \Omega is the matrix cross product of the angular rotation vector \omega, or \Omega = [\omega\times], defined as:

\Omega = [\omega\times] = \begin{bmatrix} 0 & -\omega_z & \omega_y \\ \omega_z & 0 & -\omega_x \\ -\omega_y & \omega_x & 0 \end{bmatrix}    (33)

The term G is the perturbation of gravity due to vehicle position over the Earth [8]:

G  =  cu2[(k-2)7+^^[P£x][P£x]  (34) 

The same definition holds for the position cross product matrix [P^E\times] as for the angular velocity cross product matrix. The Schuler frequency \omega_s is defined as approximately


The term \hat{C}^E_B is the estimated rotation matrix from the body frame to the ECEF frame, which differs from the true rotation matrix C^E_B by a small rotation error defined by \delta q^E_B.

The term \delta q^E_B is the linearized error in the estimated quaternion, defined as:

\delta q^E_B = [\,\delta q_1 \;\; \delta q_2 \;\; \delta q_3\,]^T    (35)

with the last quaternion term neglected to first order, but recalculated using the quaternion constraint equation: 1 = \sqrt{q_1^2 + q_2^2 + q_3^2 + q_4^2}.


The process noise vector w has dimension 7 \times 1 and is defined as:

w = \begin{bmatrix} w_a \\ w_g \\ w_h \end{bmatrix}    (36)
The process noise matrix B has dimension 9 \times 7 and is defined as:

B = \begin{bmatrix} 0_{3\times3} & 0_{3\times3} & 0_{3\times1} \\ C^E_B & 0_{3\times3} & K\omega_s^2 \frac{P^E}{\|P^E\|} \\ 0_{3\times3} & I_{3\times3} & 0_{3\times1} \end{bmatrix}    (37)

For the current case, the fault direction matrix is similar to the process noise matrix and contains all three of the accelerometer faults and the altimeter fault. The accelerometer fault matrix is defined as a 9 \times 3 matrix as:

f_a = \begin{bmatrix} 0_{3\times3} \\ C^E_B \\ 0_{3\times3} \end{bmatrix}    (38)

The altimeter fault matrix is defined as:

f_h = \begin{bmatrix} 0_{3\times1} \\ K\omega_s^2 \frac{P^E}{\|P^E\|} \\ 0_{3\times1} \end{bmatrix}    (39)

The  altimeter  is  not  actually  a  measurement  within  the  current  dynamical  system.  Instead,  it  is  modelled 
as  an  input  to  the  dynamics  similar  to  the  accelerometers  and  rate  gyros.  The  altitude  value  from  the 
altimeter  is  typically  used  to  estimate  the  gravity  vector  and  stabilize  the  numerical  instability[8]  of  the 
gravity  calculation.  Therefore  the  altimeter  noise  and  fault  modes  enter  through  the  velocity  dynamics  of 
the  system  where  errors  in  the  estimate  of  the  gravity  vector  g  or  the  perturbation  matrix  G  influence  the 
estimates. 


We note that the fault direction matrices are time varying functions. However, for the present analysis the matrices are treated as time invariant, which is true for slowly varying systems. More advanced analysis is necessary to identify the time varying components for the output separability[?], but this is not necessary for the present analysis.


4.4  GPS  Measurements 


The GPS system provides both position and velocity measurements. GPS measurements are treated extensively in [13] and [12]. A simplified error model can be defined in the following way [10]:

\tilde{P} = \hat{P} + C_p \delta x + v_p    (40)

\tilde{V} = \hat{V} + C_v \delta x + v_v    (41)

where \hat{P} and \hat{V} are the a priori estimates of the position and velocity in the ECEF frame. The noise terms v_p and v_v represent zero mean Gaussian noise. This configuration corresponds with the formulation in Hong[10] and corresponds to the "Loosely Coupled" formulation in Williamson[9].

The measurement matrix C_p is a 3 \times 9 matrix and is defined as:

C_p = [\, I \;\; 0 \;\; 0 \,]    (42)

where it is assumed that the GPS antenna and IMU are co-located. For the case where the two instruments are separated, refer to [11]. The velocity measurement matrix is also 3 \times 9 and is defined as:

C_v = [\, 0 \;\; I \;\; 0 \,]    (43)
These measurement structures are now used to identify failures in the accelerometers and altimeter. The goal
is  to  utilize  only  the  navigation  state  output  of  the  strap  down  system  combined  with  the  GPS  measurements 
and  the  GPS/INS  EKF  sensor  fusion  model  presented  to  detect  failures  in  any  and  all  of  the  instruments 
described. 

4.5  Accelerometer  Faults  Output  Separability 

The test for output separability of the accelerometers is a rank test of C f_a. In this case, we see that:


which is a 6 \times 3 matrix. Note that since the rotation matrix C^E_B is full rank, the system meets the rank test criterion and all three accelerometers are output separable. Note also that only the velocity measurements are necessary to observe the accelerometer failures and that the position measurements are not necessary. If only position estimates are available then the rank test fails. Instead, the dynamics must be employed to detect the failures as:

C_p A f_a = C^E_B    (45)

which shows that accelerometer failures are output separable using either position or velocity measurements. The term \Delta t represents the time step between measurements over which the dynamics are integrated.

Given  the  large  uncertainty  in  GPS  position  as  compared  to  GPS  velocity  measurements,  GPS  velocity 
measurements  are  likely  to  be  more  accurate  and  faster  to  detect  failures.  Further,  the  use  of  the  dynamics 
indicates  that  the  accelerometer  failures  will  not  be  visible  in  the  first  time  step  that  they  occur.  Only  after 
the  failure  has  been  integrated  through  the  dynamics  will  position  estimates  be  capable  of  seeing  the  failure. 

4.6  Altimeter  Output  Separability 

The test for output separability of the altimeter is a rank test of the matrix C f_h. In this case, again we see that the failure is readily observable through the velocity measurements as:

C_v f_h = K\omega_s^2 \frac{P^E}{\|P^E\|}    (46)

However, if position measurements are used, again, we require the dynamics to make the altimeter fault observable:

C_p A f_h = K\omega_s^2 \frac{P^E}{\|P^E\|}    (47)

In this way, the altimeter is shown to be output separable using either velocity or position estimates.

4.7  Combined  Isolation 

Combining the output separability for both requires extra work on the part of the designer. Clearly, both the altimeter and accelerometers are individually output separable. However, if only GPS position or velocity estimates are available, the two sets of measurements are not output separable.

The output separability matrix for the combined system using only velocity measurements is:

C_v [\, f_a \;\; f_h \,] = \left[\, C^E_B \;\; K\omega_s^2 \frac{P^E}{\|P^E\|} \,\right]    (48)


Note  that  while  the  column  rank  of  the  output  separability  matrix  is  4,  the  row  rank  is  constrained  to 
only  3.  In  other  words,  if  only  3  measurements  are  available,  there  are  not  enough  linear  directions  to 
distinguish  one  failure  from  the  other  three  entirely.  This  result  is  intuitively  satisfying  since  with  the  given 
velocity  measurements,  it  should  be  impossible  to  distinguish  between  a  vertical  accelerometer  failure  and 
an  altimeter  failure  if  the  IMU  is  at  rest  and  aligned  with  the  Earth  tangent  frame.  A  failure  is  detected, 
but  isolation  is  not  possible  with  only  velocity  measurements.  A  similar  problem  exists  using  only  position 
estimates. 


If both position and velocity estimates are available, then the faults are output separable, although dynamics are assumed in the use of the position estimates. The new output separability matrix is defined as:

\begin{bmatrix} C_p \\ C_v \end{bmatrix} A [\, f_a \;\; f_h \,] = \begin{bmatrix} C^E_B & K\omega_s^2 \frac{P^E}{\|P^E\|} \\ -2\Omega^E_{IE} C^E_B & -2\Omega^E_{IE} K\omega_s^2 \frac{P^E}{\|P^E\|} \end{bmatrix}    (49)

The matrix is a 6 \times 4 matrix. However, even at this point, the matrix has a rank of only three.

This result is not intuitive since it should be easy to distinguish a reasonable jump in the vertical channel from an accelerometer fault. However, this analysis assumed that the output of the navigation state was used and corrected with the GPS measurements. In other words, the blended navigation state generated by the strap down equations of motion does not have output separable failure modes for both the altimeter and the accelerometers, since the altimeter is used to generate the gravity estimate but not used to correct the altitude directly. Therefore the four fault directions are not output separable.

Note that several combinations of accelerometers and the altimeter are output separable. For instance, the lateral and longitudinal accelerometers are output separable from the altimeter. The result presented shows that the altimeter failure is not output separable from the entire accelerometer triad.


4.7.1  Discussion 


The  lack  of  output  separability  does  not  preclude  the  ability  to  detect  failures  in  either  the  accelerometer 
or  the  altimeter.  The  results  merely  indicate  that  there  is  some  combination  of  accelerometer  failures  which 
will  effectively  mask  the  altimeter  failure.  Likewise,  there  is  some  combination  of  two  accelerometers  and 
the  altimeter  fault  that  is  indistinguishable  from  a  fault  in  the  third  accelerometer.  The  results  presented 
are  not  restricted  to  a  single  fault  case  where  only  one  accelerometer  or  the  altimeter  has  a  failure.  The 
results  consider  the  possibility  that  all  instruments  have  a  failure  and  show  that  in  that  case  all  faults  are 
not  observable. 

If we restrict ourselves to a single instrument fault, all instruments may be distinguishable. The rotation matrix C^E_B provides the attitude direction of the accelerometer triad relative to the ECEF coordinate frame. The vertical line of sight vector \frac{P^E}{\|P^E\|} defines the direction of the altimeter. It is clear from analysis that any one accelerometer fault is distinguishable from the altimeter failure so long as the accelerometer is not aligned with the local tangent frame such that one accelerometer fault direction is co-linear with the vertical channel.

Analytically,  it  is  possible  to  compare  the  altimeter  fault  with  any  one  of  the  three  accelerometer  faults  to 
get  effectively  the  same  result.  So  long  as  any  one  accelerometer  does  not  align  with  the  altimeter,  and  if 
we  are  restricted  to  a  single  fault  case  where  only  one  of  the  accels  or  the  altimeter  may  fail,  then  all  faults 
may  be  observed. 
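The rank tests of Sections 3.1 and 3.2, run over the GPS/INS fault directions of Sections 4.5 through 4.7.1, as an added example that is not part of the paper. The attitude C_B^E, the vertical unit vector P^E/||P^E||, the Earth rate and the specific force are constructed inputs; G and Omega_EB are zero placeholders, which is harmless here because f_a and f_h have zero position and attitude blocks.

```python
"""Output separability rank tests (Eqs. 18-22) for the GPS/INS fault model of
Section 4 (Eqs. 32, 38, 39, 42, 43), pure Python.  Added example, not the paper's
code.  Constructed inputs: attitude C_B^E, vertical unit vector P^E/||P^E||, Earth
rate and [f^B x].  G and Omega_EB are zero placeholders: they multiply only the zero
position/attitude blocks of f_a and f_h, so no rank below depends on them."""
from math import cos, sin
from typing import Dict, List, Sequence

Matrix = List[List[float]]
EARTH_RATE = 7.292115e-5  # rad/s, |omega_IE| (constructed constant for the example)


def zeros(r: int, c: int) -> Matrix:
    return [[0.0] * c for _ in range(r)]

def eye(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def scale(m: Matrix, s: float) -> Matrix:
    return [[s * x for x in row] for row in m]

def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, c)) for c in zip(*b)] for row in a]

def hstack(*ms: Matrix) -> Matrix:
    return [sum((m[i] for m in ms), []) for i in range(len(ms[0]))]

def vstack(*ms: Matrix) -> Matrix:
    return [row[:] for m in ms for row in m]

def skew(w: Sequence[float]) -> Matrix:
    """Cross-product matrix [w x] of Eq. 33."""
    wx, wy, wz = w
    return [[0.0, -wz, wy], [wz, 0.0, -wx], [-wy, wx, 0.0]]

def rank(m: Matrix, tol: float = 1e-9) -> int:
    """Numerical rank by Gaussian elimination with partial pivoting."""
    a = [row[:] for row in m]
    rows, cols, r = len(a), len(a[0]), 0
    for c in range(cols):
        if r >= rows:
            break
        p = max(range(r, rows), key=lambda i: abs(a[i][c]))
        if abs(a[p][c]) < tol:
            continue  # no usable pivot in this column
        a[r], a[p] = a[p], a[r]
        for i in range(rows):
            if i != r:
                f = a[i][c] / a[r][c]
                a[i] = [x - f * y for x, y in zip(a[i], a[r])]
        r += 1
    return r

def rotation_zyx(yaw: float, pitch: float, roll: float) -> Matrix:
    """Constructed body-to-ECEF attitude C_B^E from Z-Y-X Euler angles (rad)."""
    cy, sy, cp, sp, cr, sr = cos(yaw), sin(yaw), cos(pitch), sin(pitch), cos(roll), sin(roll)
    return [[cy * cp, cy * sp * sr - sy * cr, cy * sp * cr + sy * sr],
            [sy * cp, sy * sp * sr + cy * cr, sy * sp * cr - cy * sr],
            [-sp, cp * sr, cp * cr]]

def build_model(c_be: Matrix, p_unit: Sequence[float], k_ws2: float = 1.0):
    """A (Eq. 32), f_a (Eq. 38), f_h (Eq. 39), C_p (Eq. 42), C_v (Eq. 43); K*omega_s^2 = k_ws2."""
    om_ie = skew([0.0, 0.0, EARTH_RATE])      # [omega_IE x]: Earth rate about ECEF z
    f_skew = skew([0.0, 0.0, 9.81])           # constructed [f^B x]: 1 g along body z
    a = vstack(hstack(zeros(3, 3), eye(3), zeros(3, 3)),
               hstack(scale(matmul(om_ie, om_ie), -1.0),        # G - Omega^2 with G = 0
                      scale(om_ie, -2.0), scale(matmul(c_be, f_skew), -2.0)),
               hstack(zeros(3, 3), zeros(3, 3), zeros(3, 3)))  # -Omega_EB = 0: at rest
    f_a = vstack(zeros(3, 3), c_be, zeros(3, 3))
    f_h = vstack(zeros(3, 1), [[k_ws2 * p] for p in p_unit], zeros(3, 1))
    c_p = hstack(eye(3), zeros(3, 3), zeros(3, 3))
    c_v = hstack(zeros(3, 3), eye(3), zeros(3, 3))
    return a, f_a, f_h, c_p, c_v

def separability_report(c_be: Matrix, p_unit: Sequence[float]) -> Dict[str, object]:
    """Ranks of the output separability matrices of Sections 4.5 to 4.7.1."""
    a, f_a, f_h, c_p, c_v = build_model(c_be, p_unit)
    c_pv, f_ah = vstack(c_p, c_v), hstack(f_a, f_h)
    return {
        "accel_vel": rank(matmul(c_v, f_a)),                  # 3: Sec. 4.5, velocity only
        "accel_pos": rank(matmul(c_p, f_a)),                  # 0: position alone fails
        "accel_pos_dyn": rank(matmul(matmul(c_p, a), f_a)),   # 3: Eq. 45, one step of A
        "alt_vel": rank(matmul(c_v, f_h)),                    # 1: Eq. 46
        "alt_pos_dyn": rank(matmul(matmul(c_p, a), f_h)),     # 1: Eq. 47
        "combined_vel": rank(matmul(c_v, f_ah)),              # 3 of 4 columns: Eq. 48
        "combined_pos_vel_dyn": rank(matmul(matmul(c_pv, a), f_ah)),  # 3 of 4: Eq. 49
        # single accelerometer j against the altimeter, velocity measurements (Sec. 4.7.1)
        "single_accel_vs_alt": [rank(matmul(c_v, hstack([[row[j]] for row in f_a], f_h)))
                                for j in range(3)],
    }

if __name__ == "__main__":
    level = separability_report(eye(3), [0.0, 0.0, 1.0])  # body z along the vertical
    tilted = separability_report(rotation_zyx(0.3, 0.4, 0.2), [0.0, 0.0, 1.0])
    print("level :", level)    # single_accel_vs_alt == [2, 2, 1]: z accel masks altimeter
    print("tilted:", tilted)   # single_accel_vs_alt == [2, 2, 2]: every pair separable
```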
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5  Conclusion 


In  this  paper,  the  use  of  the  output  separability  metric  for  determining  the  amount  of  analytic  redundancy  is 
presented.  It  is  shown  that  the  metric  enables  the  designer  to  chose  instruments  necessary  to  detect  failures 
■within  the  plant  model.  A  systematic  methodology  for  detecting  failures  between  dis-similax  instruments  is 
presented. 

An example is presented in which GPS is used to detect accelerometer and altimeter failures. From the simplified model employed, the accelerometer and altimeter failures are each observable and output separable using either position, velocity, or both position and velocity measurements. The complete accelerometer triad failures are not output separable from altimeter failures using only the navigation state from the strapdown equations of motion, because that gives four fault directions in a three-dimensional measurement space. Individual combinations of one accelerometer and the altimeter are output separable. If we restrict to the single fault case, then all instruments are output separable from each other so long as the failed accelerometer axis is not co-linear with the altimeter direction, which is a reasonable assumption during at least some portions of a flight test due to aircraft motion.

Future work will show alternative schemes for implementing fault detection on the complete inertial navigation system which will identify all failures.
Fault Detection Problem

■ Multiple Instruments

■ Example: GPS, IMU, Baro-Altimeter

■ Use Analytic Redundancy to Detect Instrument Failures:

□ GPS: Position and Velocity

□ IMU: Accel and Angular Rates

□ Baro-Alt: Pressure Altitude

■ Questions:

□ Can I detect instrument failures using the given set of measurements?

□ How do I measure the amount of analytic redundancy?
Dynamics of the System and Fault Detection Filter

■ A linear time-invariant system with $q$ actuator, sensor and plant faults is used as a design model

$$\dot{x} = Ax + Bu + \sum_{i=1}^{q} F_i \mu_i, \qquad y = Cx$$

□ $F_i$ represents the a priori known fault direction

□ $\mu_i$ represents the unknown fault magnitude

■ Fault detection filter is a linear observer

$$\dot{\hat{x}} = A\hat{x} + Bu + L\,(y - C\hat{x}), \qquad r = y - C\hat{x}$$

□ $r$ is called the residual

□ $L$ is determined so that $r$ lies in a fixed direction

Dynamic Error Equation

■ The dynamic equation of the error $e = x - \hat{x}$ is

$$\dot{e} = (A - LC)\,e + \sum_{i=1}^{q} F_i \mu_i$$

■ The residual can be written as $r = Ce$

■ Output Separability:

□ If $CF_i \neq 0$, select a filter gain $L$ such that $A - LC$ is stable and $F_i$ is an eigenvector of $A - LC$, with eigenvalue $\lambda_i$.

□ When fault $i$ occurs (starting from $e(0) = 0$), the eigenvector property gives $e^{(A-LC)s}F_i = e^{\lambda_i s}F_i$, so

$$r = Ce = C\int_0^t e^{(A-LC)(t-\tau)} F_i \mu_i \, d\tau = C\int_0^t e^{\lambda_i (t-\tau)} F_i \mu_i \, d\tau = CF_i \int_0^t e^{\lambda_i (t-\tau)} \mu_i \, d\tau$$

□ The fault can be detected because the residual becomes nonzero

□ The fault can be identified because the residual is nonzero in the direction of $CF_i$

Sensor Fault Model

□ Fault in the $i$-th sensor can be modeled as

$$\dot{x} = Ax + Bu, \qquad y = Cx + E_i \mu_i$$

where $E_i$ is a column of zeros except a one in the $i$-th position and $\mu_i$ represents the unknown fault magnitude

□ Define a new state $\bar{x} = x + f_i \mu_i$ where $C f_i = E_i$. Then $\dot{\bar{x}} = \dot{x} + f_i \dot{\mu}_i = A(\bar{x} - f_i\mu_i) + Bu + f_i\dot{\mu}_i$ and $C\bar{x} = Cx + E_i\mu_i = y$, so the sensor fault can be modeled as a two-dimensional additive term in the state equation:

$$\dot{\bar{x}} = A\bar{x} + Bu + \begin{bmatrix} -Af_i & f_i \end{bmatrix} \begin{bmatrix} \mu_i \\ \dot{\mu}_i \end{bmatrix}, \qquad y = C\bar{x}$$


Output Separability

□ Consider a system with $q$ faults,

$$\dot{x} = Ax + Bu + \sum_{i=1}^{q} F_i \mu_i, \qquad y = Cx$$

□ The fault detection filter places each fault $F_i$ into its detection space

$$\mathcal{T}_i = \begin{bmatrix} F_i & AF_i & \cdots & A^{k_i} F_i \end{bmatrix}$$

where $k_i$ is the smallest integer such that $CA^{k_i}F_i \neq 0$

□ When there is no fault, the residual is zero. When a fault occurs, the residual is nonzero in the direction of $CA^{k_i}F_i$

□ In order to isolate the faults, the directions $CA^{k_i}F_i$, $i = 1,\dots,q$, have to be linearly independent. This is called the output separability condition
Example: Accel and Baro-Alt Failures

■ Assume 18 State Filter Example:

□ 3 pos, 3 vel

□ 3 attitude (quaternion)

■ Use GPS Range and Velocity measurements

■ Use IMU as Inputs to Dynamics

□ Accels

□ Gyros

■ Utilize Baro-Altitude Smoothing

■ System is Observable with either Position or Velocity

■ Check for Output Separability

□ Accel Faults

□ Baro Faults
Check Accel Fault Output Separability

■ Accelerometer Faults

□ One for each direction, 3 total

□ Enter through velocity estimates

■ Three Cases

□ (1) Position measurements only

□ (2) Position integrated through dynamics

□ (3) Velocity measurements

■ Conclusion:

□ All three accel failures output separable.

□ Velocity measurements provide direct measurement.

□ Position measurements require integration through dynamics

Measurement Matrices (state partitioned as position, velocity, remaining states):

$$C_p = \begin{bmatrix} I & 0 & 0 \end{bmatrix}, \qquad C_v = \begin{bmatrix} 0 & I & 0 \end{bmatrix}$$

Fault Model: the three accelerometer fault directions $F_{Acc}$ (one column per axis) enter the velocity states through the body-to-ECEF rotation $C_B^E$; their position block is zero.

Three Cases:

$$(1)\ C_p F_{Acc} = 0_{3\times 3}, \qquad (2)\ C_p A F_{Acc} = C_B^E, \qquad (3)\ C_v F_{Acc} = C_B^E$$

Case (1) gives no residual direction at all ($k_i = 0$ fails), so position measurements need one integration through the dynamics ($k_i = 1$); in cases (2) and (3) the three columns of the rotation matrix $C_B^E$ are always independent, so the three accel faults are output separable.

Check Baro-Altitude Output Separability

■ Barometer faults

□ 1 fault only

□ Enters through velocity (gravity smoothing).

■ Three Cases

□ (1) Position Measurements Only

□ (2) Position Integrated through Dynamics

□ (3) Velocity Measurements

■ Conclusion:

□ Baro-Altitude is Output Separable

□ Velocity measurements provide direct measurement.

□ Position measurements require integration through dynamics

Measurement Matrices: as for the accelerometer case,

$$C_p = \begin{bmatrix} I & 0 & 0 \end{bmatrix}, \qquad C_v = \begin{bmatrix} 0 & I & 0 \end{bmatrix}$$

Fault Model: the single baro fault direction $F_{Baro}$ enters the velocity states along the unit vertical line of sight $\hat{p}^E = p^E / \|p^E\|$; its position block is zero.

Three Cases:

$$(1)\ C_p F_{Baro} = 0_{3}, \qquad (2)\ C_p A F_{Baro} = \hat{p}^E, \qquad (3)\ C_v F_{Baro} = \hat{p}^E$$

A single nonzero direction is trivially independent, so the baro fault on its own is output separable from either measurement set.

Check Observability of Accels AND Baro-Altimeter

■ Three Cases

□ (1) Position (with Dynamics):

$$C_p A \begin{bmatrix} F_{Acc} & F_{Baro} \end{bmatrix} = \begin{bmatrix} C_B^E & \hat{p}^E \end{bmatrix}$$

□ (2) Velocity:

$$C_v \begin{bmatrix} F_{Acc} & F_{Baro} \end{bmatrix} = \begin{bmatrix} C_B^E & \hat{p}^E \end{bmatrix}$$

□ (3) Position and Velocity:

$$\begin{bmatrix} C_p A \\ C_v \end{bmatrix} \begin{bmatrix} F_{Acc} & F_{Baro} \end{bmatrix} = \begin{bmatrix} C_B^E & \hat{p}^E \\ C_B^E & \hat{p}^E \end{bmatrix}$$

■ Conclusion:

□ Need at least as many measurements as faults: each case yields four fault directions in a three-dimensional measurement space (case (3) only repeats the same three rows), so the rank is at most 3 < 4

□ Accel Triad and Baro Alt NOT output separable
Discussion

■ Failures are not all simultaneously output separable

■ Individual failures are still output separable

■ Accel channel not aligned with altimeter: the column $c_j$ of $C_B^E$ for the failed accelerometer axis $j$ (that body axis expressed in ECEF) must not be co-linear with $\hat{p}^E = p^E / \|p^E\|$

■ Restriction to a single failure enables output separability on an instrument by instrument basis, e.g. for accelerometer axis $j$ against the altimeter:

$$C_p A \begin{bmatrix} F_{Acc,j} & F_{Baro} \end{bmatrix} = \begin{bmatrix} c_j & \hat{p}^E \end{bmatrix}$$

which has rank 2, and is therefore output separable, whenever $c_j$ and $\hat{p}^E$ are not co-linear
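The output separability test defined above and the accelerometer, baro-altimeter and combined checks on the example slides all reduce to one rank computation. The following Python is an added example, not code from the paper: it implements the $k_i$ search and the independence test in pure Python and runs it on a constructed 6-state position/velocity model with a constructed yaw rotation standing in for $C_B^E$ and a constructed line-of-sight vector for $\hat{p}^E$ (the paper's 18-state filter is not reproduced). It reproduces the slides' conclusions: the accel triad alone is separable from position measurements ($k_i = 1$) or velocity measurements ($k_i = 0$); the triad together with the baro fault is not, even with position and velocity; and under the single-fault restriction one accelerometer axis is separable from the altimeter unless its column of $C_B^E$ is co-linear with $\hat{p}^E$.

```python
"""Output separability check (added example, not the paper's code).
For each fault direction F_i: find the smallest k_i with C A^{k_i} F_i != 0,
then test whether the detection directions C A^{k_i} F_i of all faults
considered together are linearly independent. The 6-state model, C_B^E and
p^E/|p^E| below are constructed; the paper's 18-state filter is not reproduced.
"""
import math

TOL = 1e-9

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def hstack(*mats):  # side by side
    return [sum((m[i] for m in mats), []) for i in range(len(mats[0]))]

def vstack(*mats):  # on top of each other
    return [row[:] for m in mats for row in m]

def column(M, j):
    return [[row[j]] for row in M]

def rank(M):
    """Rank by Gaussian elimination with partial pivoting."""
    M = [row[:] for row in M]
    rows, cols, r = len(M), len(M[0]), 0
    for c in range(cols):
        if r == rows:
            break
        piv = max(range(r, rows), key=lambda i: abs(M[i][c]))
        if abs(M[piv][c]) < TOL:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(rows):
            if i != r:
                f = M[i][c] / M[r][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    return r

def detection_direction(A, C, F):
    """(k_i, C A^{k_i} F) for the smallest k_i with C A^{k_i} F != 0.
    k_i = 0: seen directly in the measurement; k_i > 0: must first be
    integrated through the dynamics. By Cayley-Hamilton k_i < n suffices."""
    AkF = F
    for k in range(len(A)):
        D = matmul(C, AkF)
        if any(abs(x) >= TOL for row in D for x in row):
            return k, D
        AkF = matmul(A, AkF)
    raise ValueError("fault direction never appears in the output")

def output_separable(A, C, faults):
    """faults: [(name, F_i)]. Returns (separable, [(name, k_i)]).
    Separable iff the stacked directions have full column rank, which
    needs at least as many measurements (rows of C) as fault columns."""
    dirs = [(name,) + detection_direction(A, C, F) for name, F in faults]
    stacked = hstack(*(D for _, _, D in dirs))
    return rank(stacked) == len(stacked[0]), [(n, k) for n, k, _ in dirs]

def rot_z(deg):
    """Constructed body-to-ECEF rotation C_B^E: a yaw about z."""
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [[c, -s, 0.0], [s, c, 0.0], [0.0, 0.0, 1.0]]

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def nav_model(C_EB, p_hat):
    """Simplified ECEF model x = [p; v]: pdot = v, vdot = accel input.
    Accel faults enter the velocity states through C_B^E (one column per
    axis); the baro fault enters velocity along the line of sight p_hat."""
    I3 = [[float(i == j) for j in range(3)] for i in range(3)]
    Z3 = [[0.0] * 3 for _ in range(3)]
    A = vstack(hstack(Z3, I3), hstack(Z3, Z3))
    C_p, C_v = hstack(I3, Z3), hstack(Z3, I3)
    F_acc = vstack(Z3, C_EB)
    F_baro = vstack([[0.0]] * 3, [[x] for x in p_hat])
    return A, C_p, C_v, F_acc, F_baro

def run_example(C_EB, p_hat):
    A, C_p, C_v, F_acc, F_baro = nav_model(C_EB, p_hat)
    accels = [("accel_" + ax, column(F_acc, j)) for j, ax in enumerate("xyz")]
    baro = ("baro", F_baro)
    return {
        "accel_triad_pos": output_separable(A, C_p, accels),   # k_i = 1
        "accel_triad_vel": output_separable(A, C_v, accels),   # k_i = 0
        "baro_pos": output_separable(A, C_p, [baro]),
        # four fault columns but only three independent measurement rows
        "triad_and_baro_pv": output_separable(A, vstack(C_p, C_v), accels + [baro])[0],
        # single-fault restriction: one accel axis against the altimeter
        "accel_z_and_baro": output_separable(A, C_v, [accels[2], baro])[0],
    }

if __name__ == "__main__":
    print(run_example(rot_z(30.0), unit([1.0, 2.0, 2.0])))   # LOS off body z
    aligned = run_example(rot_z(30.0), [0.0, 0.0, 1.0])      # body z along LOS
    print("accel_z + baro when aligned:", aligned["accel_z_and_baro"])
```

The rank test is deliberately the only criterion: a nonzero detection direction establishes detectability, and independence of the directions establishes isolation. The returned $k_i$ is what the "Faults using dynamics take longer to detect" point on the design slide refers to; in a real design the tolerance and the conditioning of the stacked matrix (near co-linear columns) matter as much as the rank itself.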


Fault Detection Filter Design

■ Check output separability ($CF_i$ or $CA^{k_i}F_i$)

□ Faults detected through the dynamics ($k_i > 0$) take longer to detect

□ Multiple faults may need dynamics for separation

■ Construct filters to ensure output separability

□ Add measurements

□ Define dynamics with better fidelity

□ Restrict to single failure cases only

□ Always check for system observability before output separability

■ Use fault detection filter designs to mitigate the effect of filter faults

□ Post-processed filter design only uses a subset of instruments

□ Fault detection filters block failures and operate sequentially

□ Shiryayev test for declaring a failure based on residual history and probability

Effect on Flight Test Design

■ Integrity is the probability of detecting a failure (dependent on output separability)

■ If the output separability test fails, the system does not have integrity against that failure

■ Analysis can be performed for a single fault or for multiple fault chains

■ Continuity is defined as the ability to maintain integrity through the flight test

■ If a single fault occurs, is there still integrity on the other systems?

■ If not, design more in: use output separability to choose the additional measurements or dynamics

■ Availability is the output separability metric
Conclusions

■ Output separability defines system availability of integrity

■ Judicious choice of dynamic modeling and measurements can increase integrity without additional hardware cost

■ Filters may be constructed to detect and isolate failures based on the output separability technique

